Security Center

Investment and Loan Platform Exposes Thousands of Private Acc Details

2017-05-10

By Security Center

Database records left publically available containing private data of businesses are now secured.

Kromtech Security Researchers discover a massive trove of data from U.S. businesses and investors that were connected to the peer-to-peer lender Funding Circle. Funding Circle allows investors to lend money directly to small and medium-sized businesses. As of February 2017, UK based Funding Circle has facilitated over $3.2 Billion Dollars (£2.5 billion) in loans to small and medium-sized firms. Funding Circle operates in the U.K., the U.S., Germany and the Netherlands, and globally it has helped 25,000 businesses get loans and 60,000 investors.

Kromtech Researchers discovered the misconfigured Apache Hive database while conducting a security audit using public Shodan API and immediately knew that it contained financial information based on the file names and content.

А member of the Kromtech Security Research team alerted Funding Circles information security specialist who confirmed the discovery and quickly isolated the 8 IP addresses from any external access. We can confirm that the data has been taken offline and is no longer publically available. Their log analysis indicates that there was no other access of the data by a third-party other than by our team.

The database was structured to include private data sets from 3rd parties and credit agencies such as Dun & Bradstreet, Experian, Powerlytics, as well as personal and enterprise information originating from a Funding Circle sub-servicer in the U.S. These companies provide data on companies and individuals to help businesses target new customers

The exposed database was isolated to Funding Circles U.S. business and contained no data from other markets in which Funding Circle operates. Among the sensitive data discovered included:

5,974 U.S. business owners SSN and 3,946 EIN numbers, credit scores, and business loan histories

Millions of U.S. business names, business addresses and contact details, and CEO/business owners name and professional details

More than 13 million marketing email addresses with the contacts of decision-makers inside U.S. businesses and gov't organizations.

More than 45 thousand internal notes that summarize customer updates or conversations from loan servicing.

Yet another wakeup call for lending institutions to audit their data storage practices. Due to its specifics, Apache Hive architecture is widely used for analysis of the large datasets stored in different repositories (such as Hadoop HDFS and Amazon AWS) and in some cases, if you can access the host/port over the network, you can access the data. According to Shodan reports, only in the US there are more than 600 indexable instances of Apache Hive, with more than 1,100 servers worldwide.

This is why it's important to follow the golden rules of 'cyber hygiene': you need to continuously check (ping) your 'internal' IP from the external environment. And, of course, don't forget to put a password on a backup device.

Researchers were able to identify the connection to Funding Circle by information in the internal notes that were also stored on the server. Researchers sent the breach notification and Funding Circle the US confirmed that the data was in fact theirs. With at least 8 unique IP addresses exposing data, they were shocked to learn of the potential breach and have since secured the data.

Is rare for companies or organizations to be thankful or acknowledge a data breach. However, they thanked the research team for reporting the misconfiguration and were fast and professional in their response and action.

We would like to add to the story an official statement from Funding Circle:

“A security researcher informed us of a vulnerability in one of our databases. As soon as we learned of the issue, we launched a full investigation, determined the cause, and immediately implemented a fix. Our log analysis highlights that there was no other access of this data by a third party other than the security researcher. We are grateful to him for bringing this to our attention and are currently conducting a full analysis with third-party support to ensure independent verification of our findings.

Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.